AWS Security ChangesHomeSearch

AWS inspector documentation change

Service: inspector · 2025-06-19 · Documentation low

File: inspector/latest/user/scanning-resources.md

Summary

Updated EC2 scanning section with details about hybrid scanning mode and agentless scanning. Added ECR scanning details with repository conversion rules and monitoring duration. Restructured sections for Code Security and Lambda scanning types with expanded explanations.

Security assessment

The changes enhance documentation about security scanning capabilities (CVEs, network exposure, code vulnerabilities) but do not indicate fixes for specific vulnerabilities. Updates focus on explaining existing security features rather than addressing newly discovered issues.

Diff

diff --git a/inspector/latest/user/scanning-resources.md b/inspector/latest/user/scanning-resources.md
index beb1deadd..267826afd 100644
--- a//inspector/latest/user/scanning-resources.md
+++ b//inspector/latest/user/scanning-resources.md
@@ -34 +34 @@ Lambda code scanning is an optional layer of Lambda function scanning that you c
-Amazon Inspector offers different scan types that focus on specific resource types in your AWS environment. 
+Amazon Inspector provides different scan types, which focus on specific resource types in your AWS environment. 
@@ -39,9 +39 @@ Amazon Inspector offers different scan types that focus on specific resource typ
-When you activate Amazon EC2 scanning, Amazon Inspector scans your EC2 instances for the following: 
-
-  * Common vulnerabilities and exposures 
-
-  * Operating system and programming language package vulnerabilities 
-
-  * Network reachability 
-
-  * Network exposure issues 
+When you activate Amazon EC2 scanning, Amazon Inspector scans your EC2 instances for common vulnerabilities and exposures (CVEs), network exposure issues, network reachability issues, operating system and programming language package vulnerabilities. Amazon Inspector performs scans through the use of the SSM agent installed on your instance or through Amazon EBS snapshots of instances. For more information, see [Scanning Amazon EC2 instances with Amazon Inspector](./scanning-ec2.html). By default, when you activate Amazon EC2 scanning, you automatically enable hybrid scanning mode. For more information, see [Agentless scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#agentless). 
@@ -48,0 +41 @@ When you activate Amazon EC2 scanning, Amazon Inspector scans your EC2 instances
+**Amazon ECR scanning**
@@ -50,0 +44 @@ When you activate Amazon EC2 scanning, Amazon Inspector scans your EC2 instances
+When you activate Amazon ECR scanning, Amazon Inspector converts all of the repositories in your private registry from basic scanning container repositories to enhanced scanning repositories. You can configure this setting with inclusion rules to scan on-push only or to scan select repositories. Amazon Inspector scans all images pushed within the last 30 days or pulled within the last 90 days. Amazon Inspector continues to monitor images for 90 days by default. You can change this setting at any time. For more information, see [Scanning Amazon Elastic Container Registry container images with Amazon Inspector](./scanning-ecr.html). 
@@ -52 +46 @@ When you activate Amazon EC2 scanning, Amazon Inspector scans your EC2 instances
-Amazon Inspector performs scans through the use of the SSM agent installed on your instance or through Amazon EBS snapshots of instances. For more information about scans for Amazon EC2, see [Scanning Amazon EC2 instances with Amazon Inspector](./scanning-ec2.html). 
+**Code Security**
@@ -54 +47,0 @@ Amazon Inspector performs scans through the use of the SSM agent installed on yo
-###### Note
@@ -56 +49 @@ Amazon Inspector performs scans through the use of the SSM agent installed on yo
-By default, when you activate Amazon EC2 scanning, you automatically enable hybrid scanning mode. For more information, see [Agentless scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning-ec2.html#agentless). 
+When you activate Code Security, Amazon Inspector scans first-party application code, third-party application dependencies, and Infrastructure as Code for vulnerabilities. For more information, see [Code Security for Amazon Inspector](https://docs.aws.amazon.com/nspector/latest/user/code-security-assessments.html). 
@@ -58 +51 @@ By default, when you activate Amazon EC2 scanning, you automatically enable hybr
-**Amazon ECR scanning**
+**Lambda standard scanning**
@@ -61 +54 @@ By default, when you activate Amazon EC2 scanning, you automatically enable hybr
-When you activate Amazon ECR scanning, Amazon Inspector converts all **Basic scanning** container repositories in your private registry to **Enhanced scanning** with continual scanning. You can also optionally configure this setting to scan on-push only or to scan select repositories through scan filters. All images pushed within the last 14 days, or pulled within the last 14 days are initially scanned. Amazon Inspector continues to monitor images for a 14 day duration by default, this setting can be changed at any time. For more information about scans for Amazon ECR, see [Scanning Amazon Elastic Container Registry container images with Amazon Inspector](./scanning-ecr.html).
+When you activate Lambda standard scanning, Amazon Inspector discovers all of the Lambda functions in your account and immediately scans them for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when they're deployed. Amazon Inspector rescans them when they're updated or when new CVEs are published. For more information, scanning, see [Scanning AWS Lambda functions with Amazon Inspector](./scanning-lambda.html). 
@@ -63 +56 @@ When you activate Amazon ECR scanning, Amazon Inspector converts all **Basic sca
-**Lambda standard scanning**
+**Lambda standard scanning + Lambda code scanning**
@@ -66 +59 @@ When you activate Amazon ECR scanning, Amazon Inspector converts all **Basic sca
-When you activate Lambda standard scanning, Amazon Inspector discovers the Lambda functions in your account and immediately starts scanning them for vulnerabilities. Amazon Inspector scans new Lambda functions and layers when they're deployed, and rescans them when they're updated or when new Common Vulnerabilities and Exposures (CVEs) are published. For more information about Lambda function scanning, see [Scanning AWS Lambda functions with Amazon Inspector](./scanning-lambda.html).
+When you activate Lambda code scanning, Amazon Inspector discovers the Lambda functions and layers in your account and scans them for code vulnerabilities. This type of scanning evaluates application package dependencies used in a Lambda function for CVEs. When you activate this scan type, you also activate Lambda standard scanning. For more information, see [Scanning AWS Lambda functions with Amazon Inspector](./scanning-lambda.html). 
@@ -68 +61 @@ When you activate Lambda standard scanning, Amazon Inspector discovers the Lambd
-**Lambda standard scanning + Lambda code scanning**
+**Code Security for Amazon Inspector**
@@ -71 +64 @@ When you activate Lambda standard scanning, Amazon Inspector discovers the Lambd
-This option combines Lambda standard scanning with Lambda code scanning. When Lambda code scanning is activated Amazon Inspector discovers the Lambda functions and layers in your account and scans for code vulnerabilities your application package dependencies. Lambda code scanning scans the custom application code in your Lambda functions for code vulnerabilities. These two scan types must be activated together. For more information see [Amazon Inspector Lambda code scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_lambda_code.html). 
+This scan type leverages the Amazon Q Developer scanning engine to scan first-party application code, third-party application dependencies, and Infrastructure as Code for vulnerabilities For more information, see [Code Security for Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/code-security-assessments.html).